A TLSA record is an entry in the Domain Name System that can be used to verify certificates and the authenticity of a server of a particular domain. The records are used for DNS-based Authentication of Named Entities (DANE) and eliminate the need to check a certificate via a Certificate Authority. DANE is used for communication with encrypted websites or the encrypted exchange of e-mails.
What is a TLSA record?
TLSA records are used as part of the DANE (DNS-based Authentication of Named Entities) procedure, which is standardized in various RFCs, for DNS-based verification of certificates. The aim is to rule out the manipulation of certificates due to problems or weaknesses at certificate authorities (CAs) by enabling the authenticity of the server certificate of a specific domain to be checked directly via the Domain Name System.
The TLSA record has a predefined format and contains various elements such as port, protocol, hostname, TLSA information fields, and hash value. The presence of a TLSA record also informs a requesting client that an encrypted connection is to be made. DANE and TLSA records are used on the Internet to transmit web page information encrypted via HTTPS or to exchange encrypted e-mails. Add-ons for using TLSA records and DANE exist for browsers such as Mozilla Firefox or Google Chrome.
Objective and basic functionality of DANE
The abbreviation DANE stands for DNS-based Authentication of Named Entities. DANE provides additional security for data traffic encrypted via TLS (Transport Layer Security) on the Internet in that certificates are no longer dependent on trusted certification authorities but can be checked directly via the Domain Name System.
Technically, DANE links X.509 certificates with TLSA records in the corresponding DNS zone. The procedure can also be used to issue one’s own certificates without a CA. The background to this is that there have been repeated problems with the trustworthiness of certificate authorities in the past and manipulation or misuse of certificates cannot be ruled out. DANE is used in combination with DNSSEC to secure DNS communication.
Structure and components of a TLSA record
A TLSA record has a standardized format and can look like this, for example:
_443._tcp.www.beispieldomain-abs.xyz. TLSA 3 1 1 CA43DC21A123BB18182233111...
The first element of the TLSA record is the port number on which the TLS server can be accessed such as port 443 in the example. This is followed by the protocol to be used such as TCP, UDP, or others. After that is the hostname (domain name) of the TLS server. The abbreviation “TLSA” is followed by three single numbers separated by spaces and the final hash value in hexadecimal notation. The three numbers specify how the hash value was determined and how the client should check the hash value. They stand for:
- TLSA Certificate Usage: number between 0 and 3
- TLSA Selector: Number 0 or 1
- TLSA Matching Type: number between 0 and 2
TLSA Certificate Usage instructs the client whether or not to perform a trust chain check. If trust chain checking is disabled, self-signed certificates can be used. The Selector provides information about whether the entire certificate was hashed or only the public key. The Matching Type specifies, for example, whether an SHA-256 hash or an SHA-512 hash is used.
Information Security Asia is the go-to website for the latest cybersecurity and tech news in various sectors. Our expert writers provide insights and analysis that you can trust, so you can stay ahead of the curve and protect your business. Whether you are a small business, an enterprise or even a government agency, we have the latest updates and advice for all aspects of cybersecurity.